Security & Confidentiality

Enterprise-grade protection for sensitive operational intelligence

Microsoft Fabric provides defense-in-depth security for multi-source radar intelligence data — from identity verification at the edge to encryption at rest in OneLake, every layer is hardened to protect classified operational information.

📐 Reference security architecture — showcases Microsoft Fabric's enterprise-grade security capabilities for sensitive operational data
🏗️ Foundation

Zero Trust Architecture

The entire platform follows Zero Trust principles — never trust, always verify.

Zero Trust: "Never trust, always verify"

Every access request is fully authenticated, authorized, and encrypted before granting access. No implicit trust is granted based on network location or asset ownership.

✅ Verify Explicitly

Every access request is authenticated via Microsoft Entra ID — users, services, and devices must prove identity before any data is accessible.

🔒 Use Least Privilege

RBAC enforced at every layer — workspace, lakehouse, semantic model, and row level. Users see only the data their role requires.

🛡️ Assume Breach

All data encrypted at rest and in transit. Every access logged and auditable. Anomaly detection via Microsoft Sentinel watches for suspicious patterns.

🔐 Identity

Identity & Authentication

Unified identity management across all platform components with Microsoft Entra ID.

🆔

Microsoft Entra ID

  • Single identity plane for all users and services
  • Multi-factor authentication enforcement
  • Conditional Access policies: device compliance, trusted locations, risk-based sign-in
  • Session controls: limited session lifetime, sign-in frequency
⚙️

Managed Identity

  • System-assigned or user-assigned managed identities for all service-to-service auth
  • Zero secrets in code, config, or environment variables
  • Automatic credential rotation handled by Azure platform
  • Works with Event Hub, OneLake, Key Vault, Storage — no API keys anywhere
🤝

Entra External ID (B2B)

  • Secure collaboration with partner organizations (allied forces, contractors)
  • Guest access with organization-specific policies
  • Cross-tenant access settings: control which external orgs can access what
  • No credential sharing — partners use their own Entra ID
🔑 Encryption

Data Protection

Multi-layer encryption and information protection for every byte of intelligence data.

💾

Encryption at Rest

  • All OneLake data encrypted with AES-256
  • Microsoft-managed keys (default) or Customer-managed keys (CMK) via Azure Key Vault
  • CMK enables: customer-controlled key rotation, key revocation for data destruction, compliance with sovereign data requirements
  • Double encryption option for highest classification data
🔗

Encryption in Transit

  • TLS 1.3 for all data flows (browser ↔ Fabric, Fabric ↔ Event Hub, Fabric ↔ OneLake)
  • Certificate pinning for service-to-service communication
  • No unencrypted data paths
🏷️

Microsoft Purview Information Protection

  • Sensitivity labels applied to data assets (e.g., RESTRICTED, CONFIDENTIAL, SECRET)
  • Labels flow with data — from OneLake to Power BI reports to exports
  • DLP policies: prevent accidental sharing of classified data outside authorized channels
  • Auto-labeling rules based on content inspection
🛂 Authorization

Access Control

Fine-grained, multi-dimensional access control from workspace level down to individual rows and columns.

🏢

Workspace-Level RBAC

Separate Fabric workspaces per classification level:

  • ws-radar-raw — raw sensor data (RESTRICTED)
  • ws-intelligence-fused — fused tracks and assessments (CONFIDENTIAL)
  • ws-operational-views — operational dashboards (authorized personnel)

Workspace roles: Admin, Member, Contributor, Viewer — each with defined permissions.

📊

Row-Level Security (RLS)

Power BI semantic model enforces row-level filters:

  • Sector commanders see only tracks in their area of responsibility
  • Operators see only their assigned radar data
  • Headquarters sees the complete picture

Implemented via DAX filters in the semantic model, bound to Entra ID groups.

📋

Column-Level Security (CLS)

Mask sensitive columns from unauthorized viewers:

  • Exact radar GPS coordinates masked from lower clearance levels
  • Raw SNR and processing parameters hidden from guest users
  • Track confidence scores visible only to analysts
🚫

Object-Level Security (OLS)

Hide entire tables/measures from unauthorized roles:

  • Threat assessment scores visible only to intelligence analysts
  • Raw OSINT feeds restricted to cleared personnel
📜 Compliance

Governance & Compliance

Comprehensive audit trail, data residency controls, and lifecycle management for regulatory compliance.

📝

Audit & Monitoring

  • Every data access, query, export, and share logged in Fabric audit trail
  • Integration with Microsoft Sentinel for security analytics
  • Alerts on anomalous access patterns (e.g., bulk data export, unusual hours access)
  • Compliance reports for regulatory requirements
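
The two alert patterns named above (bulk data export, unusual-hours access), sketched as detection logic over audit records. This is an added example, not code from the page or from Microsoft; the record fields, user names, thresholds and duty hours are assumptions, the sample events are constructed, and only the workspace names come from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, operation, workspace, rows).
# The field layout is hypothetical, not the Fabric audit log schema.
EVENTS = [
    ("2025-03-10T09:15:00", "analyst1@example.org", "ViewReport", "ws-operational-views", 0),
    ("2025-03-10T10:00:00", "operator7@example.org", "ExportData", "ws-radar-raw", 40_000),
    ("2025-03-10T10:20:00", "operator7@example.org", "ExportData", "ws-radar-raw", 40_000),
    ("2025-03-10T10:45:00", "operator7@example.org", "ExportData", "ws-radar-raw", 40_000),
    ("2025-03-10T14:00:00", "analyst1@example.org", "ExportData", "ws-intelligence-fused", 5_000),
    ("2025-03-11T02:30:00", "guest3@partner.example", "ViewReport", "ws-intelligence-fused", 0),
]

# Assumed policy values; tune per workspace classification.
BULK_ROWS = 100_000                 # rows exported per user within BULK_WINDOW
BULK_WINDOW = timedelta(hours=1)
DUTY_HOURS = range(6, 20)           # 06:00-19:59, timestamps assumed to be local time
EXPORT_OPS = {"ExportData", "ExportReport"}


def detect(events):
    """Return (alert_type, user, timestamp) tuples in event order."""
    alerts = []
    recent = defaultdict(list)      # user -> [(time, rows)] inside the sliding window
    for ts, user, op, _workspace, rows in sorted(events):
        when = datetime.fromisoformat(ts)
        if when.hour not in DUTY_HOURS:
            alerts.append(("unusual_hours", user, ts))
        if op in EXPORT_OPS:
            # Sum per user over a sliding window, so an export split into
            # several smaller requests is still counted as one bulk export.
            window = [(t, r) for t, r in recent[user] if when - t <= BULK_WINDOW]
            window.append((when, rows))
            if sum(r for _, r in window) >= BULK_ROWS:
                alerts.append(("bulk_export", user, ts))
                window = []         # reset so one burst raises one alert
            recent[user] = window
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
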
📍

Data Residency

  • Fabric capacity pinned to specific Azure region (e.g., North Europe / Finland)
  • Data does not leave the designated region
  • Multi-Geo for specific workloads if needed
  • Compliance with GDPR, national data sovereignty requirements
🔀

Data Lineage

  • Microsoft Purview tracks data flow from sensor → ingestion → processing → visualization
  • Impact analysis: understand downstream effects of data changes
  • Lineage visualization in Purview catalog
🗂️

Retention & Lifecycle

  • Automated retention policies per data classification
  • Hot → Cool → Archive tiering for historical data
  • Secure deletion with cryptographic erasure for decommissioned data
🌐 Network

Network Security

Isolate workloads with private connectivity and firewall rules — no public internet exposure.

🔌

Private Endpoints

  • Fabric workspace accessible only via Azure Private Link
  • No public internet exposure for sensitive workloads
  • Private DNS zones for name resolution within the network
🏗️

Managed VNet

  • Fabric Spark workloads run in customer-managed VNet
  • Network isolation between different classification workspaces
  • NSG rules control inbound/outbound traffic

Trusted Workspace Access

  • OneLake firewall: restrict access to trusted Fabric workspaces only
  • Storage account firewall: allow only managed identity access
  • No anonymous or public access paths
🤝 Collaboration

Secure Collaboration

Share intelligence securely with partners, maintain control, and stay future-ready.

🔄

Cross-Organization Sharing

  • Fabric sharing with external users via Entra External ID
  • Granular control: share specific reports or views, not underlying data
  • Time-limited access tokens for temporary collaborators
  • Watermarking on shared reports for leak tracing
🔐

Customer Lockbox

  • Microsoft support cannot access customer data without explicit approval
  • All support access logged and time-limited
  • Customer approves/denies each access request
🧮

Confidential Computing (future-ready)

  • Azure Confidential Computing for processing data in hardware-secured enclaves
  • Data remains encrypted even during processing
  • Attestation-based access for highest assurance workloads
🗺️ Architecture

Security Architecture Diagram

End-to-end security layers from client to storage and analytics.

        Browser / Client (TLS 1.3)
                     │
                     ▼
    Entra ID (MFA, Conditional Access)
                     │
                     ▼
      Private Endpoint / Managed VNet
                     │
                     ▼
┌─────────────────────────────────────────┐
│         Fabric Workspace (RBAC)         │
│                                         │
│    ┌─────────────┐  ┌─────────────┐     │
│    │ Eventhouse  │  │  Lakehouse  │     │
│    │  (RLS/CLS)  │  │  (RLS/CLS)  │     │
│    └──────┬──────┘  └──────┬──────┘     │
│           └────────┬───────┘            │
│                    ▼                    │
│         OneLake (AES-256 / CMK)         │
│        Purview Labels + Lineage         │
│                    │                    │
│            ┌───────┴───────┐            │
│            ▼               ▼            │
│        Power BI       ESRI ArcGIS       │
│        (RLS/OLS)    (Secure Layers)     │
│            │               │            │
│            └───────┬───────┘            │
│                    ▼                    │
│     Audit Log → Microsoft Sentinel      │
└─────────────────────────────────────────┘